We need to protect our API from XSS threats.
For example:
JSON Body:
{ "id": 1, "name": "<script>alert123</script>", "price": 12.50, "tags": ["home", "green"]}
This can be blocked using the 'Protect against code injection' assertion.
Option selected: 'HTML/JavaScript Injection (Cross Site Scripting)'.
But what about a case where code is injected using encoded values:
{ "id": 1, "name": "%3Cscript%3Ealert123%3C%5Cscript%3E", "price": 12.50, "tags": ["home", "green"]}
Where decoded values are listed below:
%3C = <
%3E = >
%5C = \
%3Cscript%3Ealert123%3C%5Cscript%3E = <script>alert123</script>
The Gateway is unable to identify such threats and the requests get processed.
We have also tried selecting the 'XPath Injection' option in the 'Protect against code injection' assertion.
Can someone help fix this issue?
Regards
Kareem
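As an added illustration, not part of the original post and not the Gateway's own code: the script below reproduces the gap the post describes with a deliberately simple stand-in signature (the `SCRIPT_PATTERN` regex is constructed for this example, not the real rule set). `naive_check` matches the signature against the raw body, which catches the literal `<script>` payload but misses the percent-encoded copy from the post. `hardened_check` parses the JSON, runs every string through a bounded percent-decode / HTML-entity-decode loop, and only then matches, which also catches double-encoded, entity-encoded and JSON `\u`-escaped variants. The request bodies are constructed samples; the first two are the ones from the post.

```python
import html
import json
import re
from urllib.parse import unquote

# Simplified stand-in for an HTML/JavaScript-injection signature. Constructed
# for this example; it is not the Gateway's actual rule set.
SCRIPT_PATTERN = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE
)

# Upper bound on decode passes: nested encodings get unwrapped, but a
# pathological input cannot keep the check busy indefinitely.
MAX_DECODE_ROUNDS = 3


def canonicalize(value: str) -> str:
    """Percent-decode and HTML-entity-decode repeatedly until the text is stable."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def iter_strings(node):
    """Yield every string in a parsed JSON document, object keys included."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, child in node.items():
            yield key
            yield from iter_strings(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_strings(child)


def naive_check(body: str) -> bool:
    """Match the signature against the raw request body only.

    Reproduces the behaviour the post describes: the literal payload is
    caught, but an encoded copy of it is not.
    """
    return bool(SCRIPT_PATTERN.search(body))


def hardened_check(body: str) -> bool:
    """Parse the JSON, canonicalize every string, then match the signature.

    json.loads already resolves \\uXXXX escapes; canonicalize() then strips
    percent-encoding and HTML entities before the signature is applied.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        # Not valid JSON: fall back to scanning the canonicalized raw body.
        return bool(SCRIPT_PATTERN.search(canonicalize(body)))
    return any(SCRIPT_PATTERN.search(canonicalize(s)) for s in iter_strings(doc))


# Constructed request bodies. PLAIN and PERCENT_ENCODED are from the post.
PLAIN = '{ "id": 1, "name": "<script>alert123</script>", "price": 12.50, "tags": ["home", "green"]}'
PERCENT_ENCODED = '{ "id": 1, "name": "%3Cscript%3Ealert123%3C%5Cscript%3E", "price": 12.50, "tags": ["home", "green"]}'
DOUBLE_ENCODED = '{ "id": 2, "name": "%253Cscript%253Ealert123%253C%252Fscript%253E" }'
HTML_ENTITIES = '{ "id": 3, "name": "&#x3C;script&#x3E;alert123&#x3C;/script&#x3E;" }'
JSON_ESCAPED = '{ "id": 4, "name": "\\u003cscript\\u003ealert123\\u003c/script\\u003e" }'
BENIGN = '{ "id": 5, "name": "100% cotton throw", "tags": ["home", "green"] }'


if __name__ == "__main__":
    samples = [
        ("plain", PLAIN),
        ("percent", PERCENT_ENCODED),
        ("double", DOUBLE_ENCODED),
        ("entities", HTML_ENTITIES),
        ("json-esc", JSON_ESCAPED),
        ("benign", BENIGN),
    ]
    for label, body in samples:
        print(f"{label:9} naive={naive_check(body)!s:5} hardened={hardened_check(body)}")
```

The point for the Gateway policy is the order of operations: any signature-based injection check has to run on the canonical (fully decoded) form of the data, so a decode step must sit before the assertion, and the decode must be bounded and repeated, because a single pass still misses double-encoded input.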